The Line 8 Subway 

Exploitation of Windows 8 Metro Style Apps 


Ming-chieh Pan, Sung-tingTsai. Core Tech, Trend Micro. 
Contact: (nanika_pan |tt_tsai)@trend\.com\.tw 


Abstract 


Windows 8 introduces lots of security improvements; one of the most interesting features is 
the Metro-style app. It not only provides fancy user interface, but also a solid application 
sandbox environment. All Metro-style applications run in AppContainer, and the AppContainer 
sandbox isolates the execution of each application. It can make sure that an App does not have 
access to capabilities that it hasn't declared and been granted by the user. 


This presentation will introduce the design of Metro-style app as well as AppContainer sandbox. 
We will dive into details of the architecture and see how it works, how does it protect from a 
malicious App attack. After reviewing the design, we are going to look for possible attack 
vectors to bypass the sandbox. Analysis will start from low level to high level. We will describe 
how we find the target to attack, and how we do analyze in different layers, such as debug of 
APLC, COM server attack, WinRT API fuzzing, and logic flaw discovery. Not only the 
methodology, we will also demonstrate some problems we have discovered, including tricks to 
bypass AppContainer to access files, launch program, and connect to Internet. 
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1. Introduce the Security Design of Metro Style Apps 


1.1 Configuration and Limitation 

Metro style apps developer must specify which resource they need to access by declaring the 
capabilities in its package manifest. After submitting to the Windows store, it is checked to 
ensure that the declared capabilities match the description of the app. It is not allowed to 
access the resource it doesn't declare. 

The capability settings include 3 types of resource: 

• Network: Enterprise auth., client, server & client, Intranet, Text, Messaging, etc. 

• File System: Documents, Pictures, Music, Video, etc. 

• Devices: Location (e.g. GPS), Microphone, Proximity (e.g. NFC), Removable 
storage, etc. 

(Things that are specific to an application (local storage, settings, etc.) do not require 
capabilities.) 

Following picture shows the capability settings: 
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The properties of the deployment package for your app are contained in the app manifest file. You can use the 
Manifest Designer to set or modify one or more of the properties. 


Declarations 


Content URIs 


Packaging 


Application Ul 


Capabilities 


Capabilities: 


Description: 

Enables adding, changing, or deleting files in the documents libr 
types that are defined by the file type association handler declara 
cannot access document libraries on HomeGroup computers. 
More information 



I - ! Enterprise Authentication 
l~~l Home or Work Networking 


I I Internet (Client & Server) 
I I Internet (Client) 

I I Location 

n Microphone 

I~1 Music Library 

l~~l Pictures Library Access 

l~l Proximity 

|~1 Removable Storage 

I~1 Shared User-Certificates 

I~1 Text Messaging 

I~1 Videos Library Access 

I I Webcam 


When users get apps from the Windows Store, they are notified of all the capabilities that the 
app declares. 
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1.2 WinRT Environment and APIs 

Windows Runtime (WinRT API) is the backbone of the new Metro-style apps (also known as 
Immersive) in the Windows 8 operating system. It provides a set of API that can be called 
from .NET languages (C#, VB.NET, F#), C++, and HTML/JavaScript. 


Metro style Apps 

XAML I I HTML /CSS 


C C# JavaScript 

C++ VB (Chakra) 



(Picture source: http://blogs.msdn.com/b/b8/archive/2012/02/09/building-windows-for-the- 
arm-processor-architecture.aspx ) 































The architecture provides safe, secure, and sandboxed design, so Metro style apps need to use 
WinRT API to access resources from OS. 


1.3 AppContainer Sandbox 

An application sandbox is a mechanism to isolate untrusted processes, protecting system from 
exploit attack. AppContainer is a new sandbox design in Windows 8. All metro style apps run in 
a security 'sandbox' called the AppContainer that isolates them from other Metro apps and 
from the operating system. 

Isolated process which runs with very limited rights. They need to communicate with a broker 
process to run all privilege commands/operations. An IPC mechanism to allow isolated 
processes to communicated with broker. 


The architecture of AppContainer sandbox: 



(Picture source: http://ameblo.ip/naoshill28/entry-11049964906.html ) 

















1.4 App Confidence 

Not only WinRT and AppContainer, Windows also provide lots of security features to secure 
Metro style apps, such as App Signatures, Certification Kit, etc. 


Telemetry 

Feedback 


Frictionless 
Install v 


Windows 8 SDK for Windows App 

Metro style apps Certification Kit 

\ \ / 

App Confidence 

S \ ^ 

Store * \ AppContainer 

Onboarding 


App Signatures 


Ratings &Reviews 


(Picture source: http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and- 
trustworthy-metro-style-apps.aspx) 

We agree all of these designs really provide a secure execution environment for Metro style 
apps. We would say, exploit metro style app is not easy. 

In this paper, we will focus on the sandbox bypassing part. We are going to review the 
architecture of AppContainer, and explain how we look for problems, and to see is it possible to 
bypass AppContainer sandbox. 


2. Sandbox Bypassing Analysis 

2.1 Previous Work on Sandbox Bypassing 

There are some typical approaches to bypass an application sandbox: 

• Exploit kernel or privilege escalation vulnerabilities to escape sandbox. 

• File system: looking for accessible folders/files and registries, especially some writable 
locations on the disk. And to see what we can do or what we can get from these places. 


• Sending message or keyboard events to outside of sandbox, it might trigger some 
privilege actions. 

• Leverage special handles: some available handles might be used to communicate with 
other process or resources. 

However, we will not use above approaches to bypass sandbox. We are going to provide 
some new techniques targeting architecture of Metro style apps and the AppContainer. 


2.2 The Target 

In order to bypass Sandbox, usually the first target is the broker process. In Metro style apps, 
our target is the RuntimeBroker. 



2.3 Attack Vectors 

Metro style apps are based on WinRT, and WinRT is essentially a COM-based API. Metro style 
apps communicate with the RuntimeBroker through COM interfaces. Under the COM, there is 
the APLC communication in Kernel. Following graph shows the flow of communication between 
a Metro style app and RuntimeBroker. 
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From the architecture view, there are three attack vectors: APLC, COM, and WinRT. Plus the 
logic design flaw, we are going to discuss four attack vectors in following chapters: 

• Debug of ALPC 

• Attack COM Server 

• Attack WinRT 

• Discover Design Logic Flaw 


2.4 DLLs and Writing Shellcode 

Since there is no Win32 COM API we can use directly, we need to write shellcode to use COM 
APIs. There are something should be noted: 

• Originally COM API is in the ole32.dll, however, COM API has been moved to 
combase.dll in Windows 8. 

• When you writing shellcode, InlnitOrder.blink is the base address of kernelbase.dll, not 
kernel32.dll. 

• There are still some WinRT COM APIs we can leverage, such as Ro* APIs. 
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3. Debug of ALPC communication 


The first step of analyzing communication of metro style apps is to see what we can do in APLC 
communication. 

Message Flow 

3.1 Message Flow 



( Ref: http://www.quarkslab.com/dl/2012-HITB-WinRT.pdf) 

As you see in this picture, COM is responsible for the communications between metro style app 
and Runtimebroker. For example, to access one file, the metro style app marshals its request 
via COM, then passes it to Runtimebroker by ALPC. Once Runtimebroker receives the 
marshaled-request, first it has to un-marshals the request via COM to get the request data. 
After Runtimebroker successfully auditing the request's privileges, it opens the file and passes 
contents to app following the same marshaling mechanisms. So this is the flow between metro 
style app and runtime broker 
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3.2 ALPC Syscal 

Here is the list of communication related ALPC syscall: 

• 82027flc 8247ba70 ntINtAIpcSendWaitReceivePort 

• 82027f5c 824defc4 ntINtAIpcCreatePort 

• 82027f60 824e9ae4 ntINtAIpcConnectPort 

• 82027f6c 824f78de ntINtAIpcAcceptConnectPort 

We are interested in these 4 API. ntINtAIpcSendWaitReceivePort is in charge of send and 
receive data; ntINtAIpcCreatePort is in charge of Port creating; ntINtAIpcConnectPortis in 
charge of Port connecting; ntINtAIpcAcceptConnectPortis in charge of connection accepting. If 
we can get data/content through this communication channel, that would be very helpful for 
debug of ALPC communication. So we decide to hook these APIs. 


3.3 HOOK and Monitoring ALPC communication 

In order to analyze the communication data, here we provide 4 windbg scripts to help debug. 
These 4 scripts can grab the communication data. We also wrote an automatic testing program 
for Metro style app testing, by continually sending crafted data to NtAIpcSendWaitReceivePort. 

Hook NtAIpcSendWaitReceivePort: 


bp ntdlllNtAIpcSendWaitReceivePort ".catch{r @$tlO = 0xe4c;.if(@$teb != 0){.if(poi(@$teb+20) 
= @$tlO){!handle poi(esp+0x4);.process; .printf \"PID:%x PortHandle:%x Flags:%x 
SendMessage:%x SendMessageAttributes:%x ReceiveMessage:%x BufferLength:%x 
ReceiveMessageAttributes:%x 

Timeout:%x\r\n\",poi(@$teb+20),poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0xl0),poi(es 
p+0xl4),poi(esp+0xl8),poi(esp+0xlc),poi(esp+0x20);.if(poi(esp+c)!=0){.printf \"send:\";dt 
PORTMESSAGE poi(esp+c);db poi(esp+c) I 

(poi(poi(esp+c))&0xffff)+0xl8;gc;};.if(poi(esp+0xl4)!=0){r @$t0 = poi(esp+0xl4);.printf 
\"recv:\";bp poi(esp) \".process;.if(poi(@$teb+20) = @$tlO){r @$tl = 
(poi(@$tO)&Oxffff)+Oxl8;dt_PORT_MESSAGE @$tO;!alpc /lpp;!alpc /m poi(@$t0+0xl0);db 

@$t0 I @$tl;bc 2;gc;}.else{gc;}\";gc;}}.else {gc;}}.else {gc;}}" _ 

This can help us to know when the ALPC port is created. 
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Please be noted that this hook is a global hook. You need to filter messages by process id like 
this showing. 

Hook NtAIpcCreatePort: 


bp ntINtAIpcCreatePort ".process; .printf \"PID:%x PortHandle:%x ObjectAttributes:%x 
MaxConnectionlnfoLength:%x MaxMessageLength:%x MaxPoolUsage:%x 
\r\n\",poi(@$teb+20),poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0xl0),poi(esp+0xl4);" 
This can help us to know when the ALPC port created is. 

Hook NtAIpcConnectPort: 


bp ntINtAIpcConnectPort ".process; .printf \"PortHandle:%x PortName:%msu 
ObjectAttributes:%x PortAttributes:%x Flags:%x RequiredServerSid:%x ConnectionMessage:%x 
BufferLength:%x OutMessageAttributes:%x lnMessageAttributes:%x Timeout:%x 
\r\n\",poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0xl0),poi(esp+0xl4),poi(esp+0xl8),poi( 
esp+0xlc),poi(esp+0x20),poi(esp+0x24),poi(esp+0x28),poi(esp+0x2c)" 

This can help us to know when the port is connected and what the name of the port is. 

Hook NtAIpcAcceptConnectPort: 


bp nt!NtAIpcAcceptConnectPort ".process; .printf \"PortHandle:%x ConnectionPortHandle:%x 
Flags:%x ObjectAttributes:%x PortAttributes:%x PortContext:%x ConnectionRequest:%x 
ConnectionMessageAttributes:%x AcceptConnection:%x 

\r\n\",poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0xl0),poi(esp+0xl4),poi(esp+0xl8),poi( 
esp+0xlc),poi(esp+0x20),poi(esp+0x24); " 

This can help us to know when the connection been accepted is. 


Testing flow: 
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.logopen "metroapp.txt" 




Hook ntINtAIpcCreatePort enable 




Open Metro App 

~r 

Hook 

ntdll! NtAIpcSend WaitReceivePort 


First, open a log file to write to. Second, Hook on NTAIpcCreatePort function, and then we can 
know when port is created. Third, launch the metro-style-app, then your hook will get a process 
ID. Fourth, Hook on NtAIpcSendWaitReceivePort function to see the data, to see what is 
sending and what is receiving. 


And following is the data sample that we intercepted: 


ncalrpc:[\\Sessions\\l\\AppContainerNamedObjects\\S-l-15-2-1115239912-5888679- 
3094415206-3103815194-10819155-2778485781-2267460753\\RPC 

Control\\QLE9517A3676FBEC77BBFB0BB30B841] _ 

By the script we have just mentioned, the data transmitted can be caught in windbg. We can 
see strings like this when ALPC ports are created. 


3.4 Fuzzing of ALPC communication 

We know how to monitor the ALPC communication. Now we want to fuzz the ALPC 
communication. We can write a script to test ALPC protocol automatically, and keep sending 
malformed data to NtAIpcSendWaitReceivePort. 
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4. Attack COM server 

4.1 COM on Windows 8 

The attack in the upper layer can be achieved by COM. Similarly, we would like to test Metro 
style apps using COM. One thing needs to be noted first, in win8 & win7, the base address we 
get by InlnitOrder.blink is kernelbase.dll instead of kernel32.dll. Also, in win8, some API in 
ole32.dll must be called through combase.dll. The COM in WinRT utilizes some private API in 
Ro* API, which can be directed used by us while developing WinRT shellcode. 


4.2 Purpose of COM Testing 
Test stability of COM server 

The first, we want to test the stability of COM servers, and want to look for the problem like 
memory corruption. 

Test functionality of COM server 

Also, we want to test the functionality of COM servers. There might be some useful functions 
can help us to do privileged operations. There might be some useful functions can help us to do 
privileged operations. 
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4.3 The Target - RuntimeBroker and Other COM server 

The Metro style apps majorly communicate with the Broker process - RuntimeBroker. So 

RuntimeBroker is the first target. 



We can use shellcode to call COM APIs, so is it possible to use COM to communicate with other 
COM servers? The answer is "Yes". 



Other COM 
Servers 


1 



COM servers usually provide services for other program. So looking for a useful COM server 
might be a chance to escape from the sandbox. 

And sometimes you can find a COM server with high privilege, for example: 
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rs vchost.exe 

908 3.39 

40.632 K 

(ij! das Host exe 

2880 

8.236 K 

|ij]WUDFHost.exe 

3568 

1.424 K 

H TabTrp.™ 

1140 0.74 

8.268 K 


43.51 G K Host Process for Windows S... Microsoft Corporation System 

17.868 K Device Association Framewo... Microsoft Corporation System 

4.084 K Windows Driver Foundation Microsoft Corporation System 

23,520 K Touch Keyboard and Handw... Microsoft Corporation High 


In this sample, TabTip is a COM server with 'High' privilege. Compromised this COM server 
means get the highest permission. 


Following is the list of available COM server list. 



There are so many COM servers. How do we know which one we can use? 
We need to check the permission: 
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One thing we have to note is the launch permission of COM server, it can only be launched by 
Metro APP if ALL APPLICATION PACKAGE permission is granted. 

As the example, this COM server allows Metro style apps to use. 

w ,i_. “no mumper 

(D E50C7BB FAA7-4A7F-BA47-B FOEfCFE433D) 

iRcgstiy Inptcfnenlation Adiviicri Launch ParniisBECrs Aoobm PwiTMora 

O Use default launch peimiaaiona 

(?) Use thesftilftixfr pefmiiskjrii 

LlBan'ljTDUp Can Launch 

APPLICATION PACKAGE AUTTORITYV^LL APPLICA. Y« 

NT AUTHQRITYVSELF Yes 


So this one has to be granted, and then metro style app can use this COM server. We are 
interested in this kind of COM servers. 
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4.4 Find Interface and Functions 

After decide the target, now we need to see how to use this COM service (server), i.e. looking 
for the specification of interface and functions. 


Using the tool 'ComView' can get the interface list and how many functions in the vtable. 


Object: CLSIDJITDebuggingHosl 


■ID | Name 

| Add InterF . 

Add VI able | 

{OOOOOOOO-DDDDaOOa-roOOOOO IUnknown 

Q2C23F60 

775381F4 

lOQOaaaBO-DDDO-aOOO-ODCD-aDD... IMulliQl 

02C23FG0 

7753E1F A 

ICOOOOI 3D OOOO-OOOO-CQQQ-DD. IdicnlSccurty 

02C23F3C 

77536258 

F3F23-7777-42E D-BA74-34, IJlTDebuflon^ostS 

QQ3DBEA4 

6O5E8A20 

{SG.4B 97F3GC4M213-G3GF-55.. 1J1T D ebuggrcH aril 00 

0030GE5C 

GF0GOO3O 



Vtable 1 J ITDebugging Hgst2 E 



WName 

| Offset 

1 Valj? 



U 

0 

6D5E2E32 



1 

A 

ED5E2EG2 



2 

8 

6D9E2E86 

outgoing Interfaces 


3 

12 

7760741F 

1 no 






The tool COMView can help us to enumerate COM server interfaces. After got the interface, we 
need to get functions. COM View can only retrieve function vtable address, (like picture 
showing). However, IDApro can dig more details such as function name and parameters. 



4.5 Start the Testing 

Use CoCreatelnstanceQ could trigger start of the COM server, then it could get an object 
pointer. With the pointer, we can iterate all functions. Call these functions and start to test. 
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etroAPP Fuzzing Attack 


Metro 
Inline ASM 


CoCreatelnstance 


VtFuncl 

VtFunc2 

VtFunc3 


Medium or 
High 


4.6 Use Desktop App to Test 

Testing COM servers from Metro style apps is kind of tough jobs, since we need to write 
shellcode/asm doing everything. Actually we can test COM server using Desktop app, because: 

• It is much easier: we can use most of APIs. 

• It has better error handling: using desktop app, we can do error handling easily. 

• Debug: we can attach COM server to debug. 
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4.7 Attack Trend? 

Since there are more and more application sandbox, using COM communication to bypass 
sandbox might become an attack trend. 


5. Attack WinRT API 

5.1 WinRT APIs Test 

This is the architecture of WinRT API: 
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Metro style application APIs 




User Interface 



HTML5/CSS 

XAML 

DirectX 

Controls 

Data Binding 

SVG 

Tiles 

Input 

Accessibility 

Printing 


Devices Communications & Data 

Sestesasaa Portable Sensors NFC Contracts Local & Cloud Storage 



Playback Capture Etayjg. Effects 





Fundamentals 



Applica: 

ion Services 

Threading/Timers 

Memory Management Authenticat 

ion Crypti 

agraphy Globalization 


You must know API before fuzzing it. The metro style app API can be categorized in Ul, Device, 
Media, Communication & data and Fundamentals. 

As for the testing to WinRT, we can apply the same methods with other application fuzzing, 
such as IE : append some abnormal arguments or tags to all methods, and see if something was 
going wrong. All we have to do is iterating all mutations and combinations through each API. 


5.2 A Broker Process Memory Corruption 

During the testing, we discovered a memory corruption problem in a broker process - 
OpenWith.exe. And we found this is possible exploitable: 
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We used (exploitable Crash Analyzer (MSEC Debugger Extension), a windbg plugin to 
investigate this bug and found it to be exploitable. Like picture shows: Call dword ptr [ecx+18h]. 
And it also shows "PROBABLY EXPLOITABLE" 
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The PoC Code: 


var savePicker = new Windows.Storage.Pickers.FileSavePicker(); 

savePicker.suggestedStartLocation = 

Windows.Storage.Pickers.PickerLocationld.desktop; 
savePicker.defaultFileExtension = ".docx"; 
savePicker.suggestedFileName = "New Document"; 

savePicker.fileTypeChoic'es.insert("Microsoft Word Document", [".docx", 

".doc"]); 

savePicker.fileTypeChoices.insert("Plain Text", [".txt"]); 
savePicker.commitButtonText = "Oday_demo"; 
var userContent = "hello world"; 

savePicker.pickSaveFileAsync().then(function (file){ 
if (file) { 

var options = new Windows.System.LauncherOptions() ; 
options.displayApplicationPicker = true; 

Windows.System.Launcher.launchFileAsync(file, options); 

} 

J_ 
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This bug was fixed in Release Preview version, we don't know if there are chances to see it 
again in the future. But it proved our testing methods to be workable. 


6. Attack Design Logic 

Exploiting metro style apps need so much hard work? Not exactly, we are going to show you 
some design problem that we can still use to easily bypass sandbox. We are going to show you 
how to bypass restriction of Internet connection, execute program, and file access. 


6.1 Bypass Internet Connection Limitation 

Even you didn't grant the Internet Connect permission to app, the app still have some way to 
send information to Internet. 

• Launch other applications to connect instead. For example, launch Metro Internet 
Explorer, and specify a URL with information that you want to send in URL parameters. 

• Use URL protocol. For example, open a mms:// URL. It will launch associated application 
to connect. 

• Open a document. A malicious app may write/drop a document, and the document may 
embed some object which could connect to Internet. Open the document, the 
connection will be created. 


Internet 

> 

r 

Metro 

xt _: 

App 

— -1 


1) a 

i 
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Patch information: (from MSRC) 

Such undesirable activities are highly detectable by either users or the AV industry, and once 
reported to Microsoft, we have the ability to remove the offending app from all user machines, 
thus protecting Windows 8 users. 

Exploit scenario: 


Malicious site 


2. mms://Malicious_site/information?data=ab41 962ab 


No Intern et ca pability 

Metro App 


0 


1. Access local sensitive information 


Will user be aware of media player is sending information to Internet, or they only know media 
player is trying to play a video? 


6.2 Bypass Launch Program Limitation 

It is not allow launching other program/application in Metro Style app. However, we have 
discovered some ways to bypass the limitation: 

• Inline asm and shellcode: although there is no API for you to launch another application. 
We found that we can still launch application using inline asm or shellcode technique. 

• ClickOnce package (.Application/.xbap) is executable: once you can write or drop 
a .xbap file, you can install and run programs. 

• DLL hijacking: during the test, we found there are still some DLL hijacking problems in 
Windows 8 application. Once you can find a DLL that will be loaded by an application (ex: 
office), you can easily execute instructions in the DLL file. 
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Launch cmd.exe in a Metro Style App: 



Launch an .application package: 
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For the DLL hijacking, we found that IE in debug build version has a DLL hijacking vulnerability: 
drop a file and rename it to traceextn.dll, as long as IE is launched, this file will be loaded by IE 
and execute with IE privilege, which can lead to the metro-app restriction bypass. 



Patch Information 

(ClickOnce) ClickOnce problem will be fixed in next Windows 8 release. 

(DLL HijackingjWe would consider this type of exploit a vulnerability in the desktop applications 
rather than a vulnerability in the metro app or the platform. We continue to address DLL 
hijacking bugs in security updates as detailed in our security advisory for Insecure Library 
loading. 


28 





















6.3 Bypass File/Folder Access 

During the test, we found an issue in a broker process: PickerHost.exe. 

Even you didn't grant file system access to App, the App still can use SavePickFile/PickFolder to 
let user choice folders they want to access, such as save a file in user-specified folders. 

The PickerHost.exe is running with Medium permission, and we found the process can be used 
to have full control of the folder that user specified. When user is picking a folder, once user 
click/open a folder, the app has full control to the folder (medium permission). Then the app 
can read/write all files in the folder, even modify content of files (ex: change file to be malicious, 
or read files and send to Internet). 

Patch Information (From MSRC) 

This is a deliberate feature, and fully under the user's control. Users should not click "ok" to the 
File picker dialog if they do not want the app to have access to that folder tree. We consider this 
under the user's control and as such do not view it as a threat. 


7. Conclusion 

In this paper, we introduced the security design of AppContainer, the methodology of Metro 
style app vulnerability discovery, and the issues we have discovered. 

Windows 8 introduces a lot of security improvements. We agree it is much more secure than 
before. For the Metro style apps, the sandbox and the design of Windows store can provide a 
trustable environment for users. 

However it doesn't mean bad guys don't have any chances. After review the design, there are 
still some problems that can be leveraged by bad guys. 
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9. Appendix 


9.1 Clsid with "ALL APPLICATION PACKAGE" launch permission 
{69B1A7D7-C09E-40E9-A1DF-688007A2D9E4} //i mebroker.exe 
{9A4B1918-0A2F-4422-89DD-35B3F455999C} //imebroker.exe 
{A4FBCBC6-4BE5-4C3D-8AB5-8B873357A23E} //imebroker.exe 
{BA6EE7D8-190D-423A-93CC-1270E6599195}//imebroker.exe 
{C658E5BD-817B-41C8-8FB6-5B2B386A40EA}//imebroker.exe 
{DE50C7BB-FAA7-4A7F-BA47-BF0EFCFE433D} //imebroker.exe 
{DF46CD07-4F86-42F0-8FA9-35C3CE55D77B}//imebroker.exe 

{7FC12E96-4CB7-4ABD-ADAA-EF7845B10629}//Credentia I UIBroker.exe 
{31337EC7-5767-llCF-BEAB-00AA006C3606}//Auth Host.exe 
{36BBB745-0999-4FD8-A538-4D4D84E4BD09}//CLSID_JITDebuggingHost 
{228826AF-02El-4226-A9E0-99A855E455A6}//lmmersive Shell Broker unknow 
{A47979D2-C419-11D9-A5B4-001185AD2B89}//Network List Manager unknow 
{C4D6E899-E38A-4838-9188-0B98EE3175E6}//ProgrammabilityManager Class unknow 
{D63B10C5-BB46-4990-A94F-E40B9D520160}//RuntimeBroker.exe _ 
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{549E57E9-B362-49Dl-B679-B64D510EFE4B}//ShareFlow 

{7B6EAlD5-03C2-4AE4-B21C-8D0515CC91B7}//Shell Create Object Task Server unknow 
{F1425A67-1545-44A2-AB59-8DF1020452D9}//Spell Checking Host Class 
{D6E88812-F325-4DCl-BBC7-23076618E58D}//TsfManager Class unknow TabTip.exe 
{6B19643A-0CD7-4563-B710-BDC191FCAD3B}//TSFstateManager Class unknow TabTip.exe 
{054AAE20-4BEA-4347-8A35-64A533254A9D}//high UIHost Class TabTip.exe 
{4CE576FA-83DC-4F88-951C-9D0782B4E376}//UIHostNoLaunch Class unknow TabTip.exe 
{2F93C02D-77F9-46B4-95FB-8CBB81EEB62C}//DevicesFlow 

{19C65143-6230-42FA-A58E-7D9FA9BE2EB5}//WorkspaceBroker Class wkspbroker.exe 


9.2 OpenWith.exe Vulnerability Details: 


0:000> [analyze -v 


Exception Analysis 


TRIAGER: Could not open triage file : C:\Program Files\Windows 
Kits\8.0\Debuggers\x86\triage\guids.ini, error 2 
TRIAGER: Could not open triage file : C:\Program Files\Windows 
Kits\8.0\Debuggers\x86\triage\modclass.ini, error 2 

FAULTING_IP: 

twinui!CImmersiveOpenWithUI::_CreateAndPositionPopup+172 
6e0f30b4 8b08 mov ecx,dword ptr [eax] 

EXCEPTION_RECORD: ffffffff — (.exr Oxffffffffffffffff) 

ExceptionAddress: 6e0f30b4 

(twinui!CImmersiveOpenWithUI::_CreateAndPositionPopup+0x00000172) 
ExceptionCode: c0000005 (Access violation) 

ExceptionFlags: 00000000 
NumberParameters: 2 

Parameter[0]: 00000000 
Parameter[1]: 00000000 
Attempt to read from address 00000000 

PROCESS_NAME: OpenWith.exe 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%081x referenced 
memory at 0x%081x. The memory could not be %s. 
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EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The 
memory at 0x%081x. The memory could not be % 


at 0x%081x referen 


EXCEPTION PARAMETERl: 00000000 


teAndPositionPopup+17 
cx,dword ptr [eax] 


NTGLOBALFLAG: 400000 


APPLICATION VERIFIER FLAGS: 0 


FAULTING THREAD: 00000bc4 


BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ_BE FORE_CALL 

PRIMARY PROBLEM CLASS: NULL POINTER READ BEFORE CALL 


DEFAULT_BUCKET_ID: NULL_POINTER_READ_BEFORE_CALL 

I ,AST_CONTRCI,_TRANSFER: from 6e0f26e6 to 6e0f30b4 
STACKJEEXT: 

00d3fdc4 6e0f26e6 0107aea0 0107af3c OOflOflc 

twinui!CImmersiveOpenWithUI::_CreateAndPositionPopup+0xl72 

00d3fdf8 6e0f21fd 0107aea0 00000001 01072528 

twinui!CImmersiveOpenWithUI::_CreateAndShow+0x2d4 

00d3felc 012925a7 OOflOflc 01072548 0107aeec 

twinui!CImmersiveOpenWithUI::CreateAndShowFromDelegateExecute+0xc7 
00d3fe68 01292e3c 00000001 00000020 00000000 
OpenWith! COpenWithLaunch^S': :_Dblxecute+0x6e. 

00d3fe94 012957db 01290000 00000000 00ecl394 OpenWith!wWinMain+Oxee 
00d3f f 24 7 4fbldl7 7f8e4000 00c3ff70 771f0c25 OpenWith ! ir.itterm_e t 0x1 7c 
00d3ff30 771f0c25 7f8e4000 9c280193 00000000 kernel32!BaseThreadlnitThunk+O 

00d3ff70 771fObfb 01295873 7f8e4000 ffffffff ntdll! RtlUserThreadStart+0x2 

00c3ff88 00000000 01295873 7f8e4000 00000000 ntdll! RtlUserThreadStarnI 0x1b 


ACK COMMAND: ~0s; 


SYMBOL STACK INDEX: 0 


!ClmmersiveOpenWithOl:: CreateAndPositionPoPUD+172 




DEBUG_FL] 

P_IMAGE_TIMESTAM 

P: 4f 

3f07 6c 

FAILURE ] 

3UCKET ID: 



NOLL POINTER READ BEFORE 

CALL 

C0000005 twinui. dll! CImmersiveOpenWithflI.|: Crea 

teAndPos: 

itionPopup 



SOCKET I'D* 



applicat: 

ION FAULT NULL POINTER 

READ BEFORE CALL twinui!CImmersiveOpenWithUI:: 

_Creat eAndFositionPopup+ 

172 


WATSON S r 

rAGEONE URL: 



http://w< 

atson.microsoft. 

com/St 

ageOne/OpenWith. exe/6 2 8250 0/4f3f12b8/twinui 

dll/6_2_< 

3250_0/4f3f076c/ 

c0000005/001330b4.htm?Retriage=l 

Followup 

: MachineOwner 



0:000> u 

6e0f30b4 1 20 



twinui!ClmmersiveOpenWit 

h O-l: : 

CreateAr.dPosi.ti onPopup I 0x172 : 

6e0f30b4 

8b08 

mov 

ecx,dword ptr [eax] 

6e0f30b6 

8d5584 

lea 

edx,[ebp-7Ch] 

6e0f30b9 

52 

push 

edx 

6e0f30ba 

50 

push 

eax 

6e0f30bb 

ff5118 

call 

dword ptr [ecx+18h] 

6e0f30be 

8bf 0 

mov 

esi,eax 

6e0f30c0 

85f 6 

test 

esi,esi 

6e0f30c2 

783b 

js 


twinui!ClmmersiveOpenWit 

hUI: : 

CreateAndPositionPopup+Oxlbd (6e0f30ff) 

6e0f30c4 

d94584 

fid 

dword ptr [ebp-7Ch] 

6e0f30c7 

e8da261900 

call 

twinui! ftol2 sse (6e2857a6) 

6e0f30cc 

d94588 

fid 

dword ptr [ebp-78h] 

6e0f30cf 

89458c 

mov 

dword ptr [ebp-74h],eax 

6e0f30d2 

e8cf261900 

call 

twinui! ftol2 sse (6e2857a6) 

6e0f30d7 

8b7db0 

mov 

edi,dword ptr [ebp-50h] 

6e0f30da 

8d7324 

lea 

esi,[ebx+24h] 

6e0f30dd 

8b0e 

mov 

ecx,dword ptr [esi] 

6e0f30df 

894590 

mov 

dword ptr [ebp-70h],eax 

6e0f30e2 

85c9 

test 

ecx,ecx 

6e0f30e4 

7409 

je 


twinui[ClmmersiveOpenWit 

hUI: : 

CreateAndPositionPopup+Oxlad (6e0f30ef) 

6e0f30e6 

832600 

and 

dword ptr [esi],0 

6e0f30e9 

8b01 

mov 

eax, dword ptr [ecx] 

6e0f30eb 

51 

push 

ecx 

6e0f30ec 

ff5008 

call 

dword ptr [eax+8] 

6e0f30ef 

8b07 

mov 

eax,dword ptr [edi] 

6e0f30f1 

56 

push 

esi 

6e0f30f2 

8d4d8c 

lea 

ecx,[ebp-74h] 

6e0f30f5 

51 

push 

ecx 

6e0f30f6 

ff731c 

push 

dword ptr [ebx+lCh] 

6e0f30f9 

57 

push 

edi 

6e0f30fa 

ff501c 

call 

dword ptr [eax+lCh] 

6e0f30fd 

8bf 0 

mov 

esi,eax 

6e0f30ff 
0:000> r 

8b4da4 

mov 

ecx,dword ptr [ebp-5Ch] 

eax=00000000 ebx=00d3f7dc ecx= 

00000400 edx=00000000 esi=00d3f74c edi=00000000 








